Author: Chris Gebhardt, Director of IT at Air Medical Resource Group
I’ll bet your IT Department fails this single HIPAA rule. I don’t venture to Las Vegas as I’m not a betting man, but I think the “odds are ever in my favor.”
Do you send patient data to other practitioners within your own network? I’m sure you do and you are allowed to as long as that network is protected and only authorized personnel can access it. HIPAA allows for communication between professionals in electronic methods. If the connection between your device and server uses TLS/SSL encryption (it most likely does), then the information passed is secure.
Here comes the bet. That information, while encrypted during transmission, is most likely not encrypted while it is sitting on the server. It is just sitting there in your or the recipient’s mailbox. Each message you send is saved to the server in your sent box and then again in their inbox. Whether it be a plain text file system or a database like SQL, they are both called a data store and can be accessed by nefarious individuals.
What gives me the advantage to saying such a thing? Simple. Most of the mail server software used by corporations do not install database encryption by default. So, unless your IT Department actively encrypted the mail database/store, your mail is sitting there in plain text, easily retrievable by a hacker, and in complete violation of HIPAA rules.
I’m sure your IT Department or HIPAA Security Officer has completed a risk assessment. After all, risk assessments have been shown to reduce OCR fines dramatically. But I bet they didn’t look for this one, simple, and somewhat easily fixable issue.
For the technically minded: Microsoft Exchange does provide native database/store encryption meaning there is no switch or level to throw that automatically enables at rest encryption. For Windows based system like Exchange, you have to use something like Bitlocker or other disk encryption systems. On Linux based systems, there is an option during install (normally), to encrypt the disk but not every system administrator chooses this option for fear of speed loss. Major mistake!
Did I win the bet? If not, Good! I’m happy to lose because that means patient data is protected. If I won, you have some work to do.